i'm wes.. i'm here to help you share data.

collectiveintel.org
china is going to steal all your warez.

your bios is phoning home.

all of our natural gas pipes are going to blow

no one can hack in their sleep...



Thursday, May 23, 13 



... and be on the lookout for some guy who works for "twitter" who might be trying to bump uglies with your mobile ...then send all my info to nigerian scammers who will try to get me to fly to europe so they can haz all my monies...

we're screwed.

whoami



we're the north american .edu CSIRT 

we operate a large (very active) trust 
community 

we build tools (CIF) 

we travel, foster relationships (here i am!) 

we drink beer (it's not a good talk, unless you're hung-over)






some context 



mostly north america (few scattered throughout 
other english speaking countries) 

mega v4 and v6 allocations 

mega connectivity (10G - 100G), inter-continental

BYOD: since the beginning of the inter-webs. 

culturally diverse (students, staff, operations, 
regions, etc) 
big-data: solved! now what do i do?



(the next ten years) 
COFFS HARBOUR

Australia's big things

From Wikipedia, the free encyclopedia 



The big things of Australia are a loosely related set of large structures, 
some of which are novelty architecture and some are sculptures. There 
are estimated to be over 150 such objects around the country, the first 
being the Big Scotsman in Medindie, Adelaide, which was built in 1963.

Most big things began as tourist traps found along major roads between 
destinations. 

The big things have become something of a cult phenomenon and are 
sometimes used as an excuse for a road trip, where many or all big 
things are visited and used as a backdrop to a group photograph. Many 
of the big things are considered works of folk art and have been heritage-listed.
wait, what about the last ten years?

collectiveintel.org



How To Kill A ZOMBIE
[Screenshot of the CIF web UI. "Document the Observation" form: General Details with server, hostname/IP, confidence (with a link to the confidence taxonomy), severity (Low, with a link to the severity taxonomy) and an "Add Alternative ID" button. "Run a New Query" form: server, query (google.com), log query. Below it, "Results for google.com": server name, Feed Restriction: RESTRICTED, time, Export: Text / Table / CSV; tabs Incident / Meta / Additional Data; columns restriction, address, protocol/ports, detecttime, impact, severity, confidence, description, alternativeid [restriction]. The rows are google.com nameservers (ns1 to ns4.google.com) marked PRIVILEGED, detecttime 2011-07-16T21:00:47Z, impact "suspicious nameserver", severity medium, confidence 10.625, description unknown_html_rfi_php, each with "Related Event" and "Show Data" links and an alternativeid URL at support.clean-mx.de marked [LIMITED].]
[Second screenshot: the same "Results for google.com" table enlarged, with more rows: ns1 to ns4.google.com, all PRIVILEGED, detecttimes from 2011-07-16 through 2011-09-02, impact "suspicious nameserver", severity medium, confidence 10.625, descriptions such as unknown_html_rfi_php, each with "Related Event" / "Show Data" links and an alternativeid URL at support.clean-mx.de marked [LIMITED].]
imagine a "box"



that worked like google personalized search 

that not just read, but understood your email 
and favorite blogs 

that communicated seamlessly with your 
network infrastructure (firewalls, IDS, name- 
servers, etc) in real-time 

that could be peered with your close, trusted, 
partners "box" to exchange information 
now imagine that "box"



leveraged existing science intelligence 
analytics (bio, chem, etc) to analyze the data 

could handle trillions of observations per 
day (netflow, passive dns, log flow, etc) 

magically manipulated your infrastructure 
into mitigating attacks on the fly 
...was an open and free framework



we already know how to do this...

• pick a messaging framework (zeromq, 
xmpp, http, smtp, pigeon, horse, donkey, 
camel, hobbit..) 

• pick a storage framework (hadoop, 
cassandra, sql, sqlite, clay tablets) 

• pick a normalization protocol (iodef, csv, 
etc) 

• pick an msg/api spec (protobuf, rest, soap) 
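As an added example (not CIF's own code and not from the talk), here is the smallest working version of those choices for the observation schema shown in the earlier query screenshots: observations are normalized to that column set, filtered to what a given peer is cleared to receive, and exported as CSV. The restriction ranking (PRIVILEGED most restrictive, then RESTRICTED, then LIMITED) and the peer-clearance rule are assumptions; the sample records are constructed.

```python
"""CIF-style observation normalization and a restriction-aware peer export.
Added example, not CIF's own code: field names follow the query-result
columns in the slides; the restriction rank and peer rule are assumptions."""
import csv
import io
from datetime import datetime, timezone

# Assumed rank, most restrictive first (the slides show labels, not order).
RESTRICTION_RANK = {"PRIVILEGED": 0, "RESTRICTED": 1, "LIMITED": 2}
FIELDS = ["restriction", "address", "protocol_ports", "detecttime", "impact",
          "severity", "confidence", "description", "alternativeid"]

def normalize(raw):
    """Coerce one raw observation dict into the fixed column set."""
    rec = {k: raw.get(k, "") for k in FIELDS}
    if rec["restriction"] not in RESTRICTION_RANK:
        raise ValueError(f"unknown restriction: {rec['restriction']!r}")
    if not rec["address"]:
        raise ValueError("address is required")
    # detecttime becomes ISO-8601 UTC with a Z suffix, as shown in the slides.
    dt = rec["detecttime"] or datetime.now(timezone.utc)
    if isinstance(dt, str):
        dt = datetime.fromisoformat(dt.replace("Z", "+00:00"))
    rec["detecttime"] = dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rec["confidence"] = float(rec["confidence"] or 0)
    return rec

def share_with_peer(records, peer_clearance):
    """Keep only records the peer is cleared for: a peer cleared for
    RESTRICTED receives RESTRICTED and LIMITED data, never PRIVILEGED."""
    floor = RESTRICTION_RANK[peer_clearance]
    return [r for r in records if RESTRICTION_RANK[r["restriction"]] >= floor]

def to_csv(records):
    """Serialize records as CSV, one of the normalization formats listed."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

# Constructed sample observations; the addresses are not real indicators.
SAMPLE = [
    {"restriction": "PRIVILEGED", "address": "ns1.example.invalid",
     "detecttime": "2011-07-16T21:00:47Z", "impact": "suspicious nameserver",
     "severity": "medium", "confidence": "10.625",
     "description": "unknown_html_rfi_php"},
    {"restriction": "LIMITED", "address": "198.51.100.7", "protocol_ports": "tcp/80",
     "impact": "malware", "severity": "low", "confidence": "5"},
]
```

The restriction label travels with each record, so the receiving peer can apply the same filter before passing data further down its own trust community.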
pretend for a minute you've got all that in-house, what's next?
information sharing is really all about...



messaging 

storage 

analytics 



communication 



scale 



warfare 



economics 



trust 



people 
culture 






information sharing is 
really all about... 



peering. 
peering.

cultural barriers (easy: requires only beer) 

language barriers (easy: requires beer and 
google) 

trust barriers (harder: requires more beer) 

scale barriers (harder: requires more beer) 

protocol barriers (hard: requires hard liquor, hangovers, etc)

legal barriers (easy: they work for you) 
where we fail



most [international] information sharing 
communities are great aggregators of 
internally shared information 

most cross-hub action happens by those 
who are in many communities 

we're actually just inhibiting the data- 
sharing process 
peering.



this is really a "BGP" problem

it's been solved before 

it's been completely screwed up before 

where the wizards stay up late? the origins 
of the internet.... 
peering.



Jabber (XMPP) 

SMTP 

Skype 

SMS/iMessage 

Torrents 

BGP 



BBS / Forums 

Prodigy 

AOL 

CompuServe 

IRC 
peering.



teh Facebook is a social platform for 
connecting you with your friends parents? 

teh LinkedIn is a social platform for
connecting you with your friends who have 
money and would be dumb enough to hire 
someone like you 

teh google plus is a social platform for 
security peeps who have no desire for 
Facebook shenanigans 
peering.



AusCERT is a social platform for 
connecting Australian security professionals 

the APWG is a social platform for 
connecting e-crime researchers 

the REN-ISAC is a social platform for 
connecting american security professionals 
in education 
you should be thinking...

if you're not already doing automated data- 
sharing, why not? 

does your current infrastructure support 
automated data-sharing? 

have you executed information sharing 
agreements with your partners? 
you should be thinking...



peers need to build trust (we're not just 
pushing packets) 

peers need to travel (here i am!) 

peers need to leave their egos at the door

end-game



cross sector coordination 
cross culture coordination 
change in economics 